Cybersecurity is like Football and You Need a Playbook

by Katherine Bodendorfer

02/14/2019

Millions of Americans recently hosted friends, made big pots of chili, and gathered around television sets to watch Super Bowl LIII. While there was a lot of prep on the viewers’ side, imagine the prep hours spent by the athletes playing in the game: their dedication to drills, film study, and situational preparedness, and their preparation for relentless assaults, powerful counterattacks, and trick plays. Cybersecurity is a lot like football.

With the big game still fresh in our minds, let’s apply a football framework to cybersecurity. It is relatable, engaging, and easy to understand. Like a football team, cybersecurity has a large ecosystem of suppliers and people, faces a multitude of challengers, is regularly a target, and has a constantly evolving game plan.

So let’s establish a playbook:

1) Coaches prepare teams

Almost every American football team has more than one coach. The typical NFL team averages 15 assistant coaches. Think of the Chief Information Security Officer (CISO) as the defensive coach: he or she is the senior-level executive within an organization who is responsible for preparing for confrontations.

During a game, a defensive coordinator has a group of coaches under him who monitor what plays or formations the offense is utilizing. Similarly, the CISO provides leadership and day-to-day coordination for securing and protecting information resources. The CISO, like the defensive coordinator, uses the information collected to adjust and shift defenses to prevent successful attacks.

To lead a team, an effective CISO is involved with all parties. That’s right, all parties. A lack of governance can lead to problems, such as a CEO not having a clear picture of a significant cyber problem, or inadequately trained senior staff.

2) Weakest links are targets

If a team has a weak offensive line, the opposing defense will use exotic blitz packages to exploit it. Much like defensive players, hackers and malicious actors look for weak access points in the operational technology (OT) network or its connected devices.

Missing software updates and out-of-date operating systems are examples of common weak links. Patch managers like DameWare enable you to leverage and manage patches across third-party lines. ZENworks is another patch management solution that retrieves and deploys the right patches to the right machines at the right times.

3) Lots of practice

Teams do not win by sitting in a circle discussing strategies without practicing and getting hands-on experience. A cyber analyst must be similarly engaged in real activity, leveraging security controls and real-life attacks against threat vectors.

The “coaching staff” must devise a playbook that will vary each week depending on the adversary and adapt as defense and offense strategies carried out by attackers evolve. Offensive coaches are constantly analyzing films, diagramming plays, and ensuring their team can practice.

Keeping pace is incredibly hard for cyber professionals, because unlike football, calling a ‘time-out’ is not an option. Thus, completing practical training is essential. Consider challenging your star players by leveraging a virtual environment where your employees can get their hands on technology, develop best practices, and improve their skills. Palo Alto Networks and SkillsFox offer cybersecurity practice labs with real-world scenarios and step-by-step lab guides.

4) Build up a cyber culture like Texas schools build up football culture

Texas has a tremendous amount of football talent because of the traditional football culture and a public-school system that invests heavily in the sport.

Building a nationwide cyber culture that makes cybersecurity a viable option for private industries is an enduring challenge. In many sectors, like the energy sector, it is often a single person or a small batch of people who handle cybersecurity matters. While these individuals may be mindful of threats and follow compliance requirements like NIST, they sometimes lack comprehensive and broad knowledge on cyber risks. More importantly, those not involved in cyber operations operate outside of the spectrum. This is an issue because security culture is not keeping pace with the threat landscape.

Building a healthy cybersecurity culture is possible and it transforms security from a one-time event into a lifecycle that generates returns. There are a few main components:

- Instill the concept that security belongs to everyone by incorporating security at the highest levels into a company’s mission. This does not mean only involving IT talent or those with security in their title (CSO, CISO), but also the upper echelons like C-level executives and lower-tier managers. Everyone needs to stop ignoring the blind spots and get a bit more technical. Understand cyber risk the same way financial, health or safety risk is understood.

- Focus on awareness and teach your entire staff about cybersecurity risks. Consider making a small investment in KnowBe4, a cybersecurity awareness and training platform that can help train employees to better manage the critical IT security problems of social engineering.

- Invest in local talent and develop them further. CompTIA-Cybersecurity Analyst + Prep Course can teach advanced lessons to those on the front lines of defense and improve their ability to analyze, monitor, and protect critical infrastructures.

5) The best defense is a good offense

This resonates in the business world. Organizations cannot simply shut down their operation because of a patch insufficiency. Business owners who provide companies with a strategic offense will be less vulnerable to cyber threats than those who are constantly playing defense against threat vectors.

In football, taking the time to plan ahead and change your defensive schemes goes a long way toward keeping those offensive attackers frustrated and a step behind. Similarly, hackers and other bad actors find it difficult to conduct cyber operations against companies that employ persistent engagement and defend forward. Investing in both sophisticated defensive and offensive capabilities is investing in the future.